Umbraco allows possible Admin-level access to backoffice without Auth under rare conditions
CVE-2023-37267

7.5HIGH

Key Information:

Vendor: Umbraco
Status: Umbraco-cms
Vendor: CVE Published:; 13 July 2023

🔔 Create Umbraco Vulnerability Alert

What is CVE-2023-37267?

The Umbraco ASP.NET CMS has a vulnerability that, under specific rare conditions, may allow unauthorized users to gain admin-level permissions following a system restart. This issue potentially compromises the security of the CMS, making it critical for admins to update to the patched versions 10.6.1, 11.4.2, and 12.0.1. Immediate action is advised to protect your systems.

Affected Version(s)

Umbraco-CMS >= 9.0.0, < 10.6.1 < 9.0.0, 10.6.1

Umbraco-CMS >= 11.0.0, < 11.4.2 < 11.0.0, 11.4.2

Umbraco-CMS = 12.0.0 = 12.0.0

References

https://github.com/umbraco/Umbraco-CMS/security/advisorie...

x_refsource_CONFIRM

https://github.com/umbraco/Umbraco-CMS/commit/1f26f2c6f34...

x_refsource_MISC

https://github.com/umbraco/Umbraco-CMS/commit/20a4e475c8d...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 13, 2023
Vulnerability Reserved
Jun 29, 2023

.